Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Country blocking broken?

Hi!

I've recently tried to set up inbound country blocking on my XG home installation (updated to the latest MR) according to the KB sample. Therefore I've created the following firewall rule

Source: WAN
Network: (country list including the elements "China" and "Russia")

Target: LAN
Network: Any

Action: Drop

Logging: Log events

I've also moved this rule to the top of the list to ensure that I don't have any conflicting rules.

Now if I try to test these rules with either http://www.websitepulse.com/help/testtools.china-test.html or some online ICMP tools originating from Russia, I get positive results (where I've expected to see a connection drop). Also I don't see any connection drops or similar events in my log. The "traffic counter" beside my firewall rule is also stalling at "0b/0b".

The chinese test site originates from several different IPs which are clearly based in China (203.130.38.1, for example).

Am I missing something here? 



This thread was automatically locked due to age.
Parents
  • Oxident,

    I think that ICMP is enabled on WAN under Device Access. Can you create an ACL blocking icmp using Country blocking and chec if it works?

    To block HTTP requests, you need to create a Business Application Rule and use "block from" field but as you can see, Country Lists or Groups cannot be used.

    [:|]

Reply
  • Oxident,

    I think that ICMP is enabled on WAN under Device Access. Can you create an ACL blocking icmp using Country blocking and chec if it works?

    To block HTTP requests, you need to create a Business Application Rule and use "block from" field but as you can see, Country Lists or Groups cannot be used.

    [:|]

Children
No Data